#!/bin/sh
set -e
set -u

# There are two important use cases:
# 1. Run as 'root', for the 'app' (or specified) user
# 2. Run as a sudoer, for self

fn_check_as_root() { (
    my_admin="${1:-}"

    if ! command -v sudo > /dev/null; then
        echo ""
        echo "WARNING"
        echo "    'sudo' is not installed."
        echo "    '${my_admin}' MUST be able to login via the 'root' password."
        echo ""
    else
        my_admin_is_sudoer=''
        if grep -q "^${my_admin} ALL=" /etc/sudoers; then
            my_admin_is_sudoer='true'
        elif test -e /etc/sudoers.d; then
            if grep -q "^${my_admin} ALL=" /etc/sudoers.d/*; then
                my_admin_is_sudoer='true'
            fi
        fi

        echo ""
        echo "ERROR"
        echo "    '${my_admin}' is NOT a sudoer"
        echo ""
        echo "SOLUTION"
        echo "    mkdir -p /etc/sudoers.d"
        echo "    chmod 0700 /etc/sudoers.d"
        echo "    echo '${my_admin} ALL=(ALL:ALL) NOPASSWD: ALL' | "
        echo "        tee '/etc/sudoers.d/${my_admin}'"
        echo ""
    fi
); }

fn_check_as_sudoer() { (
    echo
); }

main() {
    echo ""
    echo "IMPORTANT"
    echo ""
    echo "READ CAREFULLY (or get LOCKED OUT)"
    echo ""

    my_user_id="$(id -u)"
    if test "0" = "${my_user_id}"; then
        fn_check_as_root ${1:-app}
    else
        fn_check_as_sudoer
    fi

    my_username="$(id -u -n)"
    my_sudo_user="${1:-${my_username}}"

    my_sudo_exists=''
    my_sudo=''
    if command -v sudo > /dev/null; then
        my_sudo_exists='true'
        my_sudo="sudo"
    fi

    my_root=''
    if test "$(id -u)" = "0"; then
        my_root='true'
        my_sudo=''
    fi

    my_authorized_exists=''
    echo ''
    echo "All authorized users:"
    if ! $my_sudo sh -c 'ls /home/*/.ssh/authorized_keys' > /devl/null 2>&1; then
        echo "    (none)"
    else
        $my_sudo sh -c "grep -E '^(ssh|ec)' /home/*/.ssh/authorized_keys" |
            cut -d' ' -f3 |
            sort -u |
            while read -r my_comment; do
                echo "    ${my_comment}"
                my_authorized_exists='true'
            done
    fi

    my_sudoer_exists=''
    echo ''
    echo "All sudoers:"
    if test -z "${my_sudo_exists}"; then
        echo '    (sudo not installed)'
    else
        {
            $my_sudo sh -c "grep -E '(sudo|wheel):' /etc/gshadow" |
                cut -d':' -f4 |
                tr ',' '\n'

            #$my_sudo sh -c "grep '^%\?\w\+ ALL=' /etc/sudoers /etc/sudoers.d/*" |
            $my_sudo sh -c "grep '^\w\+ ALL=' /etc/sudoers /etc/sudoers.d/*" |
                cut -d':' -f2 |
                cut -d' ' -f1
        } |
            grep -v root |
            sort -u |
            while read -r my_sudoer; do
                my_sudoer_exists='true'
                echo "    ${my_sudoer}"
            done
    fi

    #adduser "$my_new_user" sudo || adduser "$my_new_user" wheel
    echo "$my_new_user ALL=(ALL:ALL) NOPASSWD: ALL" | tee "/etc/sudoers.d/$my_new_user"

    # allow users who can already login as 'root' to login as 'app'
    mkdir -p "/home/$my_new_user/.ssh/"
    chmod 0700 "/home/$my_new_user/.ssh/"
    echo "${my_keys}" >> "/home/$my_new_user/.ssh/authorized_keys"
    chmod 0600 "/home/$my_new_user/.ssh/authorized_keys"
    touch "/home/$my_new_user/.ssh/config"
    chmod 0644 "/home/$my_new_user/.ssh/config"
    chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"

    # ensure that 'app' has an SSH Keypair
    sudo -i -u "$my_new_user" sh -c "ssh-keygen -b 2048 -t rsa -f '/home/$my_new_user/.ssh/id_rsa' -q -N ''"
    chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"

    # Install webi for the new 'app' user
    WEBI_HOST=${WEBI_HOST:-"https://webinstall.dev"}
    sudo -i -u "$my_new_user" sh -c "curl -fsSL '$WEBI_HOST/webi' | sh" ||
        sudo -i -u "$my_new_user" sh -c "wget -q -O - '$WEBI_HOST/webi' | sh"

    # TODO ensure that ssh-password login is off
    my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
    my_pam=""
    if [ "Darwin" = "$(uname -s)" ]; then
        # Turn off PAM for macOS or it will allow password login
        my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)"
    fi
    if [ -n "${my_pass}" ] || [ -n "${my_pam}" ]; then
        echo "######################################################################"
        echo "#                                                                    #"
        echo "#                             WARNING                                #"
        echo "#                                                                    #"
        echo "# Found /etc/ssh/sshd_config:                                        #"
        if [ -n "${my_pass}" ]; then
            echo "#     PasswordAuthentication yes                                     #"
        fi
        if [ -n "${my_pam}" ]; then
            echo "#     UsePAM yes                                                     #"
        fi
        echo "#                                                                    #"
        echo "# This is EXTREMELY DANGEROUS and insecure.                          #"
        echo "# We'll attempt to fix this now...                                   #"
        echo "#                                                                    #"

        sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
            /etc/ssh/sshd_config

        sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
            /etc/ssh/sshd_config

        if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
            echo "# FAILED. Please check /etc/ssh/sshd_config manually.                #"
        else
            echo "# Fixed... HOWEVER, you'll need to manually restart ssh:             #"
            echo "#                                                                    #"
            echo "#   sudo systemctl restart ssh                                       #"
            echo "#                                                                    #"
            echo "# (you may want to make sure you can login as the new user first)    #"
        fi
        echo "#                                                                    #"
        echo "######################################################################"
    fi

    echo "Created user '${my_new_user}' as sudoer with a random password."
    echo "(set a new password with 'password ${my_new_user}')"
}

main "${1:-app}" "${2:-}"
